IT Security, News, Week in review

Week in review: 5G IoT security, efficient password cracking for pentesters, supply chain examination

Here’s an overview of some of last week’s most interesting news and articles:

5G IoT security: Opportunity comes with risks
Slowly but surely, 5G digital cellular networks are being set up around the world. It will take years for widespread coverage and use to be achieved, so what better time than now for finding a way to ease into it while keeping security in mind?

Cybersecurity company benefits should reduce stress but don’t
From start-ups to Silicon Valley giants, tech company employees work in some of the most luxurious offices in the world, especially as the best of businesses battle to attract top talent. For those of us in high-anxiety fields, some attempts have been made to alleviate stress by offering more unique perks. While the goal is admirable, many of these cybersecurity company benefits miss the mark.

G Suite admins get restricted security code option
Earlier this year, Google provided G Suite admins and users with a new 2FA option: one-time security codes based on security keys.

Crooks are exploiting unpatched Android flaw to drain users’ bank accounts
Hackers are actively exploiting StrandHogg, a newly revealed Android vulnerability, to steal users’ mobile banking credentials and empty their accounts, a Norwegian app security company has warned.

Review: Cyber Smart
Do you believe you’re not interesting or important enough to be targeted by a cybercriminal? Do you think your personal data doesn’t hold any value? Bart R. McDonough proves why those beliefs are wrong in his book Cyber Smart: Five Habits to Protect Your Family, Money, and Identity from Cyber Criminals.

CrackQ: Efficient password cracking for pentesters and red teamers
CrackQ employs automation to make password cracking a faster and more efficient undertaking for pentesters and red teamers.

Prevent credential stuffing and account takeover attacks with these expert tips
Account takeover and credential stuffing attacks are two security threats that often go hand in hand. Both have become alarmingly prominent: a recent report found that one-fifth of account openings so far in 2019 have been fraudulent.

How are enterprises coping with the security challenges brought on by digital transformation initiatives?
451 Research has polled IT decision makers at 400 larger companies about the current state of cybersecurity in their organizations, the security initiatives they have planned, the challenges they face, and how they are accommodating emerging technologies and digital transformation initiatives.

What do cybercriminals have in store for 2020?
As we look to 2020 and a new decade, cybersecurity will continue to be a top priority for businesses and consumers alike. To help organizations prepare for the next year and beyond, Experian released its forecast, which predicts the top five threats businesses and consumers should be aware of in order to keep their information safe.

Supply chain examination: Planning for vulnerabilities you can’t control
Seemingly, there are numerous occurrences when the customer’s personally identifiable information stored by an organization’s third-party provider is set loose by malicious intentioned actors. Threats take on many different shapes and sizes and aren’t someone else’s problem or responsibility to control or mitigate.

December 2019 Patch Tuesday forecast: Make sure to deploy year-end updates
Can you believe another year has passed and we’re approaching the last Patch Tuesday of the year? While I get ready to make another online gift purchase with my credit card, I can’t help but reflect on the security activity over the past twelve months. Some of these hit close to home.

How DNS filtering works and why businesses need it
The Domain Name System (DNS) is a cornerstone of the internet. DNS servers connect URL names that humans can read to unique Internet Protocol (IP) addresses that web browsers can understand. Without DNS, we’d all be typing in long, seemingly random combinations of characters and numbers in order to get anywhere online! However, this dependency opens up the possibility for misuse. From domain hijacking and cache poisoning to Denial of Service attacks, DNS is no stranger to being attacked or even scarier, being an attack vector!

CPoC: New data security standard for contactless payments
The PCI Security Standards Council (PCI SSC) published a new data security standard for solutions that enable merchants to accept contactless payments using a commercial off-the-shelf (COTS) mobile device with near-field communication (NFC).

Avoiding the next breach: Four tips for securing your apps
As security incidents continue to be an ongoing threat to businesses on a daily basis, keeping security procedures up-to-date and avoiding the next breach have become paramount.

2019 experienced massive spate of crypto crimes, $4.4 billion to date
With only seven months left for nations to pass laws and virtual asset service providers (VASPs) to comply with the guidelines, the majority of cryptocurrency exchanges are not equipped to handle basic KYC, let alone comply with the stringent new funds Travel Rule included in the updated Financial Action Task Force (FATF) guidance, according to CipherTrace.

The hidden risks of cryptojacking attacks
Given the very public repercussions of certain types of breaches, it can be easy for executives and IT professionals to focus attention on only the most notable attacks. However, numerous industry studies have found that a quiet threat, known as cryptojacking, is rising faster than any other type of cyber incident.

Hacking robotic vehicles is easier than you might think
Robotic vehicles like Amazon delivery drones or Mars rovers can be hacked more easily than people may think, a research from the University of British Columbia suggests.

Webinar: How to secure complex, multi-cloud environments
In this 30-minute webinar for CISOs, Security Engineers, Architects, and SOC Teams, learn how to gain the visibility and context necessary to properly secure multi-cloud applications.

(ISC)2 offers Lab courses to help build technical skills in cybersecurity
(ISC)2 announced that its Professional Development Institute (PDI) now offers five Lab courses designed to help build technical skills in cybersecurity.

20th century fox, CCXP, Comic Con Experience, entertainment, film, Free Guy, Gaming & Culture, IT Security, ryan reynolds, Trailers

A nebbishy bank teller discovers he’s trapped in a video game in Free Guy

[embedded content]
Ryan Reynolds stars in Free Guy.

A lowly bank teller discovers he’s actually a non playable character in an open-world video game in Free Guy, a forthcoming film from 20th Century Fox. Director Shawn Levy debuted the first trailer this weekend at the 2019 Comic Con Experience (CCXP) in Sao Paulo, Brazil, describing it as “a superhero origin story except without the tights, powers, or pre-existing IP,” according to Deadline Hollywood. Stars Ryan Reynolds and Joe Keery (Steve Harrington on Stranger Things) were also on hand for the event.

Per the official synopsis, Free Guy is about “a bank teller who discovers he is actually a background player in an open-world video game, decides to become the hero of his own story…one he rewrites himself. Now in a world where there are no limits, he is determined to be the guy who saves his world his way…before it is too late.”

The trailer opens with cheery bank teller Guy (Reynolds) waking up and heading to work. He remains completely unfazed as he encounters all manner of bizarre occurrences en route: shootouts, explosions, a guy with a flame-thrower, and his pal Joe getting thrown through a storefront window. (“Whoa-ho! Mondays! Amirite, Joe?”)

  • Guy (Ryan Reynolds) is a lowly bank teller. Or is he?
    YouTube/20th Century Fox
  • Mondays, amirite?
    YouTube/20th Century Fox
  • Guy, this is not a normal thing to see on your way to work
    YouTube/20th Century Fox
  • Every day, Guy’s bank gets robbed.
    YouTube/20th Century Fox
  • When Guy defeats the robber and takes his glasses, the world looks totally different
    YouTube/20th Century Fox
  • Yep, it’s a video game.
    YouTube/20th Century Fox
  • A new perspective on his world.
    YouTube/20th Century Fox
  • Guy is apologetic about having to engage in violence.
    YouTube/20th Century Fox
  • He finds an ally in Milly/Molotov Girl (Jodie Comer)
    YouTube/20th Century Fox
  • Taika Waititi plays Antione, a developer
    YouTube/20th Century Fox
  • Joe Keery plays programmer Keys
    YouTube/20th Century Fox
  • “Enjoy your lifetime supply of virginity.”
    YouTube/20th Century Fox
  • Two Glocks get the pair out of a tight spot
    YouTube/20th Century Fox
  • Let’s assume video game physics applies.
    YouTube/20th Century Fox

Guy’s bank gets robbed every day, but this particular day, he decides to fight back, “killing” one of the robbers (“He’s just resting”) and taking possession of the dead man’s glasses. When he walks out of the bank and puts on the glasses, his perspective shifts dramatically: he sees the “world” as it really is—one elaborate video game. The bank heist is just one of the “missions” players undertake in the course of the game.

Guy picks up the ground rules governing the game pretty quickly, starting with a “first aid” token that heals his broken nose. “Is this what recreational drugs feels like?” he asks a random motorist. He also finds an ally in Milly, aka Molotov Girl (Killing Eve‘s Jodie Comer), who is able to move in and out of the game at will. Meanwhile, game developer Antoine (Taika Waititi) has plans to shut the game down, against the objections of a programmer, Keys (Keery). Keys and Milly created the code that resulted in Guy—who is supposed to be a non playable background character—becoming aware of his virtual environment.

At CCXP,  Reynolds described the film as “a modern-day Back to the Future for this generation.” Tonally, I get the comparison, but Free Guy also has recognizable elements from Westworld, The Matrix, Wreck It Ralph, and even the Deadpool movies. “It’s not just spectacle — it’s very much connected to the characters,” Levy said. “It’s the rise of an idealist in a world that is very cynical and dark.” That should make it the perfect vehicle for Reynolds’ sweetly acerbic irreverence.

Free Guy will hit theaters July 3, 2020.

Listing image by YouTube/20th Century Fox

Complete Technology Solutions ransomware, Herb Miner, IT Security, Medix Dental, PerCSoft, Ransomware, rEvil, Sodinokibi, Thomas Terronez

Ransomware at Colorado IT Provider Affects 100+ Dental Offices

A Colorado company that specializes in providing IT services to dental offices suffered a ransomware attack this week that is disrupting operations for more than 100 dentistry practices, KrebsOnSecurity has learned.

Multiple sources affected say their IT provider, Englewood, Colo. based Complete Technology Solutions (CTS), was hacked, allowing a potent strain of ransomware known as “Sodinokibi” or “rEvil” to be installed on computers at more than 100 dentistry businesses that rely on the company for a range of services — including network security, data backup and voice-over-IP phone service.

Reached via phone Friday evening, CTS President Herb Miner declined to answer questions about the incident. When asked about reports of a ransomware attack on his company, Miner simply said it was not a good time and hung up.

The attack on CTS comes little more than two months after Sodinokibi hit Wisconsin-based dental IT provider PerCSoft, an intrusion that encrypted files for approximately 400 dental practices.

Thomas Terronez, CEO of Iowa-based Medix Dental, said he’s heard from several affected practices that the attackers are demanding $700,000 in bitcoin from some of the larger victims to receive a key that can unlock files encrypted by the ransomware.

Others reported a ransom demand in the tens of thousands of dollars. In previous ransomware attacks, the assailants appear to have priced their ransom demands based on the number of workstation and/or server endpoints within the victim organization. According to CTS, its clients typically have anywhere from 10 to 100 workstations.

Terronez said he’s spoken with multiple practices that have been sidelined by the ransomware attack, and that some CTS clients had usable backups of their data available off-site, while others have been working with third party companies to independently negotiate and pay the ransom for their practice only.

Many of CTS’s customers took to posting about the attack on a private Facebook group for dentists, discussing steps they’ve taken or attempted to take to get their files back.

“I would recommend everyone reach out to their insurance provider,” said one dentist based in Denver. “I was told by CTS that I would have to pay the ransom to get my corrupted files back.”

“My experience has been very different,” said dental practitioner based in Las Vegas. “No help from my insurance. Still not working, great loss of income, patients are mad, staff even worse.”

Terronez said the dental industry in general has fairly atrocious security practices, and that relatively few offices are willing to spend what’s needed to fend off sophisticated attackers. He said it’s common to see servers that haven’t been patched for over a year, backups that haven’t run for a while, Windows Defender as only point of detection, non-segmented wireless networks, and the whole staff having administrator access to the computers — sometimes all using the same or simple passwords.

“A lot of these [practices] are forced into a price point on what they’re willing to spend,” said Terronez, whose company also offers IT services to dental providers. “The most important thing for these offices is how fast can you solve their problems, and not necessarily the security stuff behind the scenes until it really matters.”

bernie sanders, broadband, IT Security, Policy

Bernie Sanders vows to break up huge ISPs and regulate broadband prices

Bernie Sanders speaking into a microphone and gesturing with his hand.

Enlarge / Bernie Sanders speaks to the Organic Farmers Association on December 05, 2019 in Story City, Iowa.
Getty Images | Win McNamee

Presidential candidate and Vermont Senator Bernie Sanders yesterday released a plan to overhaul the US broadband market by breaking up giant providers, outlawing data caps, regulating broadband prices, and providing $150 billion to build publicly owned networks.

“The Internet as we know it was developed by taxpayer-funded research, using taxpayer-funded grants in taxpayer-funded labs,” the Sanders plan said. “Our tax dollars built the Internet, and access to it should be a public good for all, not another price-gouging profit machine for Comcast, AT&T, and Verizon.”

If enacted, Sanders’ “High-Speed Internet for All” plan would be the polar opposite of the Trump administration’s treatment of broadband companies and far more aggressive than the regulatory approach of the Obama administration. Sanders pledged to “use existing antitrust authority to break up Internet service provider and cable monopolies,” specifically by “bar[ring] service providers from also providing content and unwind anticompetitive vertical conglomerates.”

Perhaps most notably, this could force Comcast to divest NBCUniversal and force AT&T to divest Time Warner. Of course, a US president can’t simply issue an order to break up these companies. But if Sanders is elected, he could nominate Department of Justice officials who are likely to file antitrust lawsuits against the companies that dominate the broadband industry.

Bring back Title II regulation

Sanders also pledged to regulate broadband providers as common carriers under Title II of the Communications Act, reinstate net neutrality rules, and impose other pro-consumer rules. This could be achieved via legislation, appointments of aggressive regulators to the Federal Communications Commission, or a combination of both.

Sanders said he would “eliminate data caps and ban throttling” and “instruct the FCC to regulate broadband Internet rates so households and small businesses are connected affordably.” This would include a requirement “that all Internet service providers offer a Basic Internet Plan that provides quality broadband speeds at an affordable price.”

The FCC is an independent agency, so it wouldn’t have to do what Sanders says. But if Sanders was president, he could nominate commissioners and appoint a chairperson who is likely to carry out his wishes.

$150 billion

Sanders also proposed investing heavily in infrastructure, particularly in government-run networks. He pledged to “provide $150 billion through the Green New Deal in infrastructure grants and technical assistance for municipalities and/or states to build publicly owned and democratically controlled, co-operative, or open-access broadband networks.”

Sanders vowed to preempt 19 state laws that limit the spread of municipal broadband. That could require help from Congress, as the Obama-era FCC’s attempt to preempt such laws was overturned in court.

Presidential candidate Elizabeth Warren has proposed an $85 billion broadband plan, while candidate Joe Biden has proposed $20 billion for rural broadband.

Many US residents lack fast Internet service today because broadband monopolies “don’t provide service to anyone who can’t afford it, or install it in areas where it won’t make them as much money as their shareholders demand,” the Sanders plan said. Meanwhile, broadband monopolies “exploit their dominant market power to gouge consumers and lobby government at all levels to keep out competition.”

Sanders compared his plan to President Franklin D. Roosevelt’s “promise to deliver electricity to every home in America in 1935, a time when 90 percent of rural households lacked it.”

Sanders’ $150 billion proposal includes a Department of Agriculture Rural Utility Service program “to provide capital funding to connect all remote rural households and businesses and upgrade outdated technology and infrastructure, prioritizing funding for existing co-ops and small rural utilities.” Sanders said that $7.5 billion should be set aside for tribal areas and that all public housing should provide free broadband to residents.

Sanders said the $150 billion investment will “ensure that communities stay connected during natural disasters.” Sanders also proposed a full review of broadband networks to make sure they are “resilient to the effects of climate change.”

Sanders aims to lower prices

US government plans for broadband often focus on network access without talking much about lowering prices. Sanders wants to do both. His plan said:

Large Internet service providers have enjoyed government funding, protection from competition, and light regulation while gouging customers with some of the highest prices for service in the world. Bernie will regulate these providers like a utility. The FCC will review prices and regulate rates where necessary, ensuring areas without competition aren’t able to run up prices.

Moreover, Sanders proposed eliminating the hidden fees broadband providers use to make the actual cost higher than their advertised rates. ISPs would have to “clearly state the cost of service” and not impose “unexpected rate increases” or “service termination fees.”

Sanders also wants the FCC to define broadband as a minimum of 100Mbps download speeds and 10Mbps uploads, instead of the current 25Mbps down and 3Mbps up. Sanders would also “reinstate and expand privacy protection rules,” reversing the Trump-era decision to eliminate broadband-privacy rules.

Amazon Studios, Eddie Redmayne, entertainment, film, Gaming & Culture, IT Security, The Aeronauts

The Aeronauts brings the joy and perils of Victorian ballooning to vivid life

Eddie Redmayne and Felicity Jones star in <em>The Aeronauts</em>

Enlarge / Eddie Redmayne and Felicity Jones star in The Aeronauts
Amazon Studios

Just in time for the holiday season, Amazon Studios has released The Aeronauts, a soaring historical adventure film about the perils faced by a Victorian scientist and a balloonist attempting to fly higher than anyone before them. Granted, the characters might be a bit thinly drawn when it comes to emotional depth, and the earth-bound first act is solid, if unremarkable, period drama. However, once the film (literally) gets off the ground, it blossoms into a gripping, thoroughly entertaining epic tale of survival at punishing altitudes. Above all, the film looks spectacular; every frame is practically a canvas, painted in vibrant, almost Disney-esque hues.

(Some spoilers below.)

The Aeronauts is a fictionalized account of a historic balloon flight by pioneering meteorologist James Glaisher. He and his pilot, Henry Coxwell, made several balloon flights to measure the temperature and humidity of the upper atmosphere between 1862 and 1866. Armed with scientific instruments and bottles of brandy, Glaisher and Coxwell set a world-altitude record, reaching an estimated 38,999 feet (11,887 meters) on September 5, 1862. They were the first men to reach the atmospheric stratosphere, and they did it without the benefit of oxygen tanks, pressure suits, or a pressurized cabin.

During the flight, the men released pigeons at various altitudes to see how well they flew, recalling that those released above the three-mile mark “dropped like a stone.” They would have continued rising and likely died because the valving rope Coxwell needed to manipulate to begin their descent got tangled up with the balloon net. Coxwell had to climb out of the basket and up into the rigging to release the valve with his teeth—his hands were badly frostbitten—in order to begin their descent. By then, Glaisher had passed out. Eventually, the men landed safely (if a bit roughly) about 20 miles from their original launch point.

The film version recreates many of those elements, but while Glaisher is a primary character (played by Eddie Redmayne of The Theory of Everything) in The Aeronauts, writer/director Tom Harper opted to replace Coxwell with a fictional female character, Amelia Wren (Felicity Jones, also of The Theory of Everything). It opens with a frustrated Glaisher trying in vain to convince his scientific colleagues of the potential of ballooning to enable better study of Earth’s atmosphere, resulting in more accurate weather prediction. Meanwhile, a widowed Amelia is facing pressure from her mother and sister to remarry and leave her ballooning adventures with her late husband behind her. When Glaisher offers Amelia a job piloting a balloon higher than anyone has attempted before, she is initially reluctant, but then accepts. They end up facing far more peril than they bargained for.

Up, up, and away

Harper wanted his sky-borne scenes to be as authentic as possible. These were by far the most challenging aspect of the production, since he wanted to shoot his actors in an actual balloon at 2,000 feet. According to co-producer Todd Lieberman, that involved finding someone willing and able to build an 80-foot helium-filled (as opposed to a hot air) balloon—and someone willing and able to fly it. A company called Flying Pictures, headed by Colin Prescot, obliged. Prescot also brought renowned Swedish aeronaut Per Lindstrand aboard to pilot the balloon. (Lindstrand famously made a series of transoceanic hot-air balloon flights in partnership with Sir Richard Branson.)

“I think a balloon of this kind hadn’t been built in over four decades, and this might be the first replica of a period balloon of that era ever built,” said Lieberman.

  • Eddie Redmayne plays Sir James Glaisher.
    YouTube/Amazon
  • Glaisher and his friend John Trew (Himesh Patel) spot a balloon in the distance.
    YouTube/Amazon Studios
  • “Prove them wrong, James.” Tom Courtenay plays Glaisher’s father, Arthur.
    YouTube/Amazon
  • Glaisher persuades female aeronaut Amelia Wren to take him into the skies. She’s played by Redmayne’s Theory of Everything co-star, Felicity Jones.
    YouTube/Amazon Studios
  • Amelia Wren lost her husband in a ballooning accident.
    YouTube/Amazon
  • Preparing for launch.
    YouTube/Amazon
  • Amelia knows how to please the crowd.
    YouTube/Amazon Studios
  • The duo takes one final bow before takeoff.
    YouTube/Amazon Studios
  • Unknown territory above.
    YouTube/Amazon
  • Fluttering butterflies.
    YouTube/Amazon
  • Into the stratosphere.
    YouTube/Amazon
  • Suffering the ill effects of high altitude.
    YouTube/Amazon
  • A resolute Amelia knows she must manually release the valve to begin their descent.
    YouTube/Amazon Studios
  • Scaling the iced-over balloon.
    Amazon Studios
  • Amelia passes out.
    YouTube/Amazon Studios
  • Glaisher lends a helping hand.
    YouTube/Amazon

Every crew member went up in a balloon just to experience what it was like, and Felicity Jones went to Germany for gas-balloon flight training (as well as acrobatics) to prepare for her role as Amelia. For the actual filming at altitude, the pilot crouched low in the basket while cameras mounted on helicopters and drones captured the action. That really is Jones climbing up and sitting on the balloon’s hoop, although she wore a protective harness that was subsequently removed in post-production. As for the scene where Amelia must climb up the side of the ice-encrusted balloon—a stuntwoman actually performed that feat at altitude, with close-ups and other footage for the scene filmed on a sound stage outfitted with a 180-foot crane.

“The hardest part of these ballooning expeditions, we learned, is landing them,” said Lieberman. “The wind dictates where the balloon goes.” The crew relied on WhatsApp group chats and chase vehicles to follow the balloon’s path while it was making its descent to figure out where it was likely to land. “It was a less-than-ideal landing, to say the least, but we got them down safely,” said Lieberman.

“The hardest part of these ballooning expeditions, we learned, is landing them.”

While it wasn’t possible to film at 37,000 feet, the filmmakers went to great lengths to replicate those conditions on set. Redmayne spent some time in an oxygen-deprivation tank to get a feel for the effects of hypoxia. And when shooting the scenes when the balloon was freezing over, part of the set was cooled down to below freezing, while Redmayne and Jones would plunge their hands into buckets of ice before scenes.

“Not only were they acting as if they were freezing,” said Leiberman, “they actually were freezing.”

An amalgamation of history

The Aeronauts takes pains with regard to historical accuracy, although as Lieberman noted, “We weren’t making a documentary.” While Glaisher and Coxwell’s historic feat provided the basis for the main story, many other details of the fictionalized flight were taken from a book of historical ballooning accounts called Falling Upwards by Richard Holmes. Intrepid aeronauts of the past really did make a parachute of the balloon and witness butterflies at surprisingly high altitudes. And per Lieberman, an aeronaut named Charles Green—inventor of the trail rope as an aid to steering and landing a balloon, among other accomplishments—really did summit the side of a balloon, albeit at a lower altitude than is portrayed in the film.

The decision to replace Coxwell with the fictionalized Amelia proved controversial. Tthe Royal Society’s head of library, Keith Moore, told The Daily Telegraph last year, “It’s a great shame that Henry isn’t portrayed because he performed very well and saved the life of a leading scientist,” adding that he wished the film had chosen to include one of the “many deserving female scientists of the period.”

Amelia was actually inspired by several historical female aeronauts, most notably Sophie Blanchard, the first woman to find work as a professional balloonist when her balloonist husband, Jean-Pierre, died. (The account of Amelia’s husband’s death in the film was inspired by the real demise of aviator Thomas Harris in 1824.) The flamboyant couple used dogs at their launches, as portrayed in the film, and often set off fireworks. In fact, that’s how Blanchard died in 1819: during an ascent, one of the fireworks set the balloon on fire. British aeronaut Margaret Graham and American aviator Amelia Earhart were also influential as Harper was developing the character.

“The idea of two scientists sitting in a basket going up and down who shared the same basic outlook on life didn’t hold much tension,” said Lieberman. “So we decided to do an amalgamation: take the best of these different flights from the time period and find a counterpoint to James Glaisher.”

Glaisher really did struggle to raise funding for his expeditions from the Royal Society. His eventual success resulted in his becoming president of the newly formed Royal Meteorological Society just five years after his historic flight with Coxwell. In the end, The Aeronauts is an uplifting story, both literally and figuratively—just as the filmmakers intended.

The Aeronauts is now playing in theaters.

ars cardboard, board gaming, Gaming & Culture, horrified, IT Security, Monsters

Review: Horrified is a terrific family-friendly monster-themed board game

Review: Horrified is a terrific family-friendly monster-themed board game

Enlarge
Welcome to Ars Cardboard, our weekend look at tabletop games! Check out our complete board gaming coverage at cardboard.arstechnica.com.

Some folks use “family game” as a pejorative. Not me. For one thing, I happen to like my family. More importantly, as a player and critic of board games, it is my holy duty to introduce as many games as possible to my family. In the cardboard eschaton, all games shall be family games, because families will play anything and everything together.

With that very important disclaimer out of the way, it’s now time to announce that Prospero Hall’s Horrified is my favorite family game of the year.

Better than Pandemic?

Let me rag on a game that I happen to respect for a minute.

My hang-up with the popular co-op disease-fighting game Pandemic is that it’s always making things harder for its players. To some degree, that’s a surefire formula for a cooperative game, and Pandemic should know; it set the standard for the genre. Every turn you can fix one problem, maybe two, but three new problems spill onto the board. Before long, the game board can look like an overwhelming pile of disease cubes.

But Horrified takes that formula by the neck and gives it a good wringing. The result feels familiar—but the game rewards its players rather than constantly punishing them. In Horrified, you’re the cure, not merely the treatment.

Welcome to the world’s most unfortunate town

Enlarge

Imagine living in a town that’s already hemorrhaging citizens to Dracula when the Creature from the Black Lagoon wades up and starts snacking on picnickers. Also, the Invisible Man is peeping on everybody’s significant other, Frankenstein’s Monster keeps strangling bystanders, the Wolf Man has been fetching femurs that are still attached to their owners, and the Mummy is smashing records for biggest box office flops.

That’s Horrified in a nutshell. Two or three classic monsters are all terrorizing your town at the same time, and it’s your task to defeat, seal away, or cure them before they murder too many of your neighbors. It’s a bad, bad place to live—but at least houses are affordable.

Game details

Designer: Prospero Hall
Publisher: Ravensburger
Players: 1-5
Age: 10+
Playing time: 60 minutes
Price: $35 (buy at Amazon)

The turn-by-turn procedure here will be familiar to anyone who’s played a cooperative game in the vein of Pandemic. Everyone has their own character, complete with some minor power that defines how they play, like teleporting to a friend’s location or gathering objects from afar. With only a handful of actions, you move about town, collecting items and ushering bystanders safely to their destinations. The danger is that nearby monsters might activate in between each player’s turn. Rather than being inevitable, these appearances are governed by a separate deck. Sometimes a monster will remain stationary, dormant but dangerous. Other times it will sprint across multiple spaces to maul somebody—or even spring special abilities on you.

These monsters are what make Horrified special. They’re each billed as unique, with their own behaviors and means of defeat. In practice, though, some of their traits are closer than they ought to be; expect to see plenty of goals that require you to spend matching items in the monster’s space. But for every disappointing objective, there are two made of sterner stuff. In the midst of gathering items and fleeing from the shadows, you might take a detour to hunt through the swamp to solve a hieroglyphic puzzle at the museum or to prevent Frankenstein’s Monster from reuniting with his Bride, at least until you’ve prepared the perfect first date. The real test is when these challenges are combined. Breaking all of Dracula’s coffins isn’t hard, but braving those hidden vampire lairs while you’re being robbed blind by the Invisible Man and staying far away from the Wolf Man? That’s when things get interesting.

  • Don’t let her die!
    Dan Thurot
  • Behold the over-the-top monster poses.
    Dan Thurot
  • Dan Thurot
  • Dan Thurot

A campy horror yarn for the whole family

The appeal of Horrified is that it’s every bit as easy to explain to newcomers as what I’ve written above. Easier, really. Among experienced players, it might even seem too simple, with only a handful of actions to select from. But everything about it, from its crisp interface to the transparency of its board state, is designed to lure in the unsuspecting.

Consider how campy it is. Rather than shooting for horror, it’s “scary” the way a bad throwback movie is scary, with unconvincing rubber body suits and stilted acting by performers who plainly believe they’re cut out for Broadway instead of this moving picture fad. The colors are bright, and the monster miniatures are posed with exaggerated goofiness. But it’s a trick. Twenty minutes later, you’re sweating the proximity of the Creature to some pedestrians and wondering if you can return those scrolls to the museum in time.

In other words, this game is entirely possible to lose. All those deaths gradually add up, whether they are your own or those of the cardboard townsfolk cowering on the table. Lose too many people and the monsters win. But each loss feels more immediate than a disease cube could ever be. That masticated villager wasn’t a statistic; he was Fritz the Hunchback, at home in the tower but trying to reach the institute for safety. I didn’t quite grasp this until my sister smacked the table in frustration when we lost a villager we’d been guiding across town. By giving those cardboard cutouts a name and a goal, Prospero Hall has made them a little bit more human. Our brains are weird like that.

Not that I should be surprised. Prospero Hall has been doing some great work these past few years, including the board game adaptation of Jaws from earlier this year, and each release only grows more assured and more personal. Horrified continues that tradition. It’s the sort of game you can take to dinner with your extended family. Better yet, it’s one of those rare games everyone will be able to dig into.

asteroid, bennu, IT Security, Science, Space exploration

No one knows why rocks are exploding from asteroid Bennu

A composite image of a short and long exposure photograph of Bennu showing the largest particle ejection on January 6, 2019.

Enlarge / A composite image of a short and long exposure photograph of Bennu showing the largest particle ejection on January 6, 2019.
NASA | Goddard | University of Arizona | Lockheed Martin

For the last year, NASA’s OSIRIS-REx spacecraft has been circling a large asteroid named Bennu that regularly passes uncomfortably close to Earth. The spacecraft has been painstakingly mapping the asteroid’s rocky surface using a suite of cameras and other instruments that will help it determine where to land next year. Once NASA selects a final landing site, OSIRIS-REx will kiss Bennu just long enough to scoop up a sample to bring back to Earth in 2023.

Many scientists expect the Bennu sample to revolutionize our understanding of asteroids, especially those that are near Earth and pose the greatest threat from space to life as we know it. But as detailed in a paper published this week in Science, NASA has already started making surprising discoveries around this alien world. Earlier this year, the OSIRIS-REx team witnessed particles exploding from the asteroid’s surface—and the team’s not sure why.

“No one has ever seen an active asteroid up close like this,” says Carl Hergenrother, an astronomer at the University of Arizona and the scientist who proposed Bennu as the target for OSIRIS-REx. “It wasn’t that long ago that the conventional wisdom was that asteroids are these dead bodies that didn’t change very much.”

In January, the navigation cameras on OSIRIS-REx captured three ejection events that each spewed about 100 centimeter-sized asteroid particles into space. The spacecraft also detected a significant number of particles orbiting Bennu like a cloud of gnats. Their diverse orbits suggest that particle ejections are a common event on the asteroid and occur all across its surface, rather than in a few select spots. Indeed, in the year since the three ejection events that are reported today in Science, Hergenrother says OSIRIS-REx has detected several other smaller ejections.

Asteroid Bennu isn’t really “alive” because it doesn’t have a heated core necessary for geological activity, but as Hergenrother and his colleagues discovered, it’s not exactly dead either. It’s a space zombie roaming the solar system, sneezing out small rocks. Some quickly return to the surface like a cannonball, while others escape into the vast emptiness of deep space. But what’s really intriguing, says Hergenrother, are the rocks that end up in orbit around Bennu and become miniature moons for a few days before returning to the surface.

“What we’re seeing is something we would have never been able to see from the ground,” Hergenrother adds. “So the question that is still on our minds is, ‘Are we seeing a lower-intensity process that is similar to what happens on other active asteroids, or is this something entirely different?'”

Massive ejections

Scientists have seen massive ejections from about two dozen asteroids as they pass by Earth, but the mechanisms invoked to explain why these asteroids are ejecting material don’t work for Bennu. The centrifugal force of an asteroid’s spin, for example, could eject material from the surface, but it can’t account for the range of particle orbits seen by OSIRIS-REx. Likewise, the sublimation of ice water—the same phenomenon that produces a comet’s tail—can’t explain what’s happening on Bennu because OSIRIS-REx witnessed particle ejections on parts of Bennu that get way too hot to host ice.

Hergenrother says the OSIRIS-REx team has narrowed the mystery to two possible causes. One potential culprit is the extreme temperatures on Bennu, which range from 115°C to -73°C (240°F to -100°F). The stress from this transition can cause particles to crack and fly apart like popcorn. Another possibility is that Bennu is getting bombarded with micrometeoroids that kick up the particles when they strike the surface.

Unfortunately, OSIRIS-REx won’t be hanging around Bennu long enough to resolve the mystery on its own, according to Hergenrother. There is a lot more science to be done before the spacecraft departs for Earth, so the mystery of Bennu’s particle eruptions might have to be shelved—for now.

But given how little we know about asteroids, Hergenrother says there’s a strong case to be made for a dedicated mission to study the phenomenon on another asteroid in the future.

This story originally appeared on wired.com.

IT Security

Balancing Digital Transformation and Security

Governance , IT Risk Management

Kaspersky’s Claire Hatcher Describes a Layered Approach Suparna Goswami (gsuparna) • December 6, 2019    


Claire Hatcher, global head of fraud prevention, Kaspersky<//figcaption>

As companies go through a digital transformation, they should keep security top of mind, says Claire Hatcher of Kaspersky, who describes a layered approach.`.

See Also: Webinar | Passwords: Here Today, Gone Tomorrow? Be Careful What You Wish For.

In a video interview at Information Security Media Group’s recent Cybersecurity Summit in Mumbai, Hatcher also discusses:

  • How to protect personally identifiable information;
  • Taking a balanced approach between security and modernization;
  • The challenges of digital transformation.

Hatcher is the global head of fraud prevention at Kaspersky. Previously, she was director of sales strategy at RSA .

IT Security

How to Make a Security Transformation

Governance , IT Risk Management

RSA’s Ganesh Prasad on Understanding Risk Exposure in a Digital Transformation Suparna Goswami (gsuparna) • December 6, 2019    


Ganesh Prasad, pre-sales manager, India, RSA<//figcaption>

A successful digital transformation journey must include a security transformation journey that includes a careful examination of risks, says Ganesh Prasad of RSA.

See Also: Webinar | The Future of Adaptive Authentication in Financial Services

In a video interview at Information Security Media Group’s recentCybersecurity Summit in Mumbai, Prasad talks about:

  • What kind of security posture is needed for digital transformation;
  • Understanding risk exposure under digital transformation;
  • Making sure security is part of business decisions.

Prasad is pre-sales manager, India, at RSA. He has more than 20 years of experience in information technology, of which 10 years are in the security domain.

IT Security

Misconceptions About 'Zero Trust'

Governance , IT Risk Management , Privacy

Forescout’s Steven Hunter on How to Ensure Successful Deployment Suparna Goswami (gsuparna) • December 6, 2019    


Steven Hunter, senior director, system engineering, APJ, Forescout<//figcaption>

A common misconception about the “zero trust” model is that once it’s deployed, network security is no longer required, says Steven Hunter of Forescout.

See Also: Unlocking IAM – Balancing Frictionless Registration & Data Integrity

In a video interview at Information Security Media Group’s recent Cybersecurity Summit in Mumbai, Hunter addresses:

  • Common misconceptions about zero trust;
  • Challenges of coupling access with identity;
  • How to ensure successful implementation of zero trust.

Hunter is senior director, system engineering, APJ, at Forescout. Previously, he spent more than 16 years at Cisco in various roles in Australia and Singapore.

IT Security

AI, Machine Learning and Robotics: Privacy, Security Issues

The use of artificial intelligence, machine learning and robotics has enormous potential, but along with that promise come critical privacy and security challenges, says technology attorney Stephen Wu.

For example, in healthcare, “we’re beginning to see surgical robots … and robots that take supplies from one part of a hospital to another. …You can use AI to help sequence a child’s DNA … and match and identify a condition in very short order,” Wu says in an interview with Information Security Media Group.

But along with those bold technological advances come emerging privacy and security concerns.

“The HIPAA Security Rule doesn’t talk about surgical robots and AI systems,” he notes. Nevertheless, HIPAA’s administrative, physical and technical safeguard requirements still apply, he says.

As a result, organizations must determine, for example, “what kind of security management procedures are touching these devices and systems – and do you have oversight over them?”

Also critical is ensuring that “communications are secure from one point to another,” he points out. “If you have an AI system that’s drawing records from an electronic health record, how is that transmission being secured? How do we know the AI systems drawing [information] from the EHR system has been properly authenticated?”

Fighting Cybercrime

Over the long haul, AI will play an important role in fighting against AI-fueled cyberattacks, Wu adds.

“You have cybercriminals who are beginning to look at AI systems to better attack different networks and different devices. We’re going to need AI systems to defend ourselves in the future against those possible attacks,” he says.

“It’s simply not possible for a human to pay attention to all the different aspects of a network to watch all parts of it and head off attacks as they come in,” he notes. “And there may be attacks that take place within such a small amount of time that it might be hard or impossible for humans to detect them without the assistance of artificial intelligence.”

Wu will serve as a host of an inaugural American Bar Association National Institute of Artificial Intelligence and Robotics conference Jan. 9-10 at the Santa Clara University School of Law, where he and other experts will discuss emerging legal issues.

In the interview (see audio link below photo), Wu also discusses:

  • Other promising applications of AI, machine learning and robotics in various industries;
  • General Data Protection Regulation and other regulatory compliance considerations;
  • Top cybersecurity-related predictions for 2020 involving the use of AI, machine learning and robotics.

In his role as a technology attorney at Silicon Valley Law Group in San Jose, California, Wu focuses on compliance, liability and information governance in emerging areas of technology law. Wu has written or co-written several books on information security and the law. He served as the 2010-2011 chair of the American Bar Association Section of Science & Technology Law. Before joining Silicon Valley Law Group, Wu was a Silicon Valley partner at Cooke Kobrick & Wu LLP.

IT Security

Don't forget the basics: KYE means KYC

Finance & Banking , Industry Specific

Know your enemy: How banks can identify and beat the evolving threat of financial crime Simon VineyDecember 6, 2019    

Don't forget the basics: KYE means KYC

As the old saying doesn’t go, keep your enemies close and your customers even closer. Having a complete overview of your clients and their banking habits – a must for both Know Your Customer (KYC) and basic good customer service practice – means you will inevitably have a greater understanding of your adversaries. This is crucial in the fight against cyber-enabled fraud and other financial crime.

Good housekeeping of customer access, payments and so on is always important, of course, but so too is minimising friction for your valued customers. After all, everybody wants good security but nobody wants to experience a disruption to their service.

“This is driven by increasing specialisation and division of labour. Examples of this collaboration include the attacks on July 20, 2016, where cyber attackers attempted to steal $150 million from a bank in South Asia and then minutes later attacked a bank in West Africa for the same amount. Clearly attackers can coordinate and collaborate in complex attacks across different continents.” 

Education plays a large part in this. “Banks have a duty to communicate about fraudster behaviour with their customers,” says Nick Ryder, Professor in Financial Crime at the University of the West of England. “Banks really need to make their consumers more aware of things like sophisticated email scams claiming to be from the UK ‘Inland Revenue’, for example. If people are new to the internet then they’re going to be susceptible.”

It’s about knowing your customers’ habits thoroughly. You know that your over-65 segment, for example, aren’t likely to be paying money to the relevant income tax authorities regularly.

The problem is that as security systems develop, creative criminals will find new ways to disguise their dealings. Prof Ryder suggests banks look closely at seemingly legitimate operations – “things like people testing their online security. This is a growth area for criminals.” Of course, putting a stop to criminals seeking to test your security and fraud controls is not a viable solution, but continually evolving your security and fraud controls to address your enemies current and future tactics is essential. Equally, sharing intelligence within your organisation is critical; often your cyber team will know information that is incredibly valuable to your fraud team, or vice versa.

Another problem, explains Prof Ryder, is that “laws are always going to be reactionary, as are policies, so it’s like fighting a fire with a small garden hose.” Prevention and early-warning systems are key and this, he says, comes down to knowing customer behaviour extremely well, as well as cyber-crime trends. Banks need to know “which countries are deemed to be at risk, which countries have weak levels of compliance.” This is where banks will be involved in de-risking.

Moreover, knowing the appropriate behaviours of your staff is almost as important as knowing your customer. Insider crime is a real threat and being able to quickly identify when staff activities deviate from normal behaviour is critical in the fight against this. Additionally, when banks are reluctant to bring charges against this type of fraud (usually to guard against negative publicity), it can have an adverse effect on the fight against financial crime.

Good practice when it comes to housekeeping, staff management and high-level Know Your Customer (KYC) will mean banks are far more likely to be able to detect when something’s not right and act to stop or limit the damage caused to their customers and their bottom line.

To find out more, get the full report at a href=https://www.content.baesystems.com/banking-know-your-enemy

IT Security

How the Adversarial Mindset Is Making Cybersecurity Better

Applying offensive hacking expertise and a more adversarial mindset to better hone not just network defenses but also public policy is proving effective, says Jeff Moss, founder and creator of the Black Hat conference (see: Cybersecurity Defenders: Channel Your Adversary’s Mindset).

“This idea of the adversarial mindset stems from: People who started in attack and moved to defense were stunned to find how crazy the defense people were,” Moss says. “They were really smart; they just weren’t doing things that really mattered … [because they were] disconnected from reality,” he says, too often because they didn’t have good information about how criminals or government attackers were hacking them.

All that changed, however, with the rise of large-scale digital forensics firms such as Mandiant that not only investigated intrusions, but publicly released details that spelled out “this is how bad guys are really behaving,” he says in an interview with Information Security Media Group. And that has helped drive more organizations to build red teams that can bring a more adversarial mindset to bear on the organization’s own defenses and help blue teams – defenders – put in place better safeguards.

In this interview (see audio link below the image) recorded at Black Hat Europe 2019, Moss also discusses:

  • The increased use of red teams to help organizations’ blue teams and engineers to be more effective;
  • How private sector incident response findings and research is reshaping the industry;
  • Why efforts to ensure bug-squashing during code design and review does not just aim to fix individual bugs, but whole classes of vulnerabilities.

Moss is the founder and creator of the Black Hat and Def Con conferences and a commissioner of the Global Commission on the Stability of Cyberspace.

IT Security

OnDemand Webinar | Using Security Ratings to Achieve Security Goals

3rd Party Risk Management , Governance

How Ratings Can Be Leveraged To Improve Security Performance And Vendor Risk Management Information Security Media GroupDecember 6, 2019    

As the level of cyber-risk faced by organizations of all shapes and sizes grows every year, security ratings services have emerged as important tools to help companies assess the level of risk imposed by their vendors as well as quantify their own security performance.

However, as the market matures and new players enter, companies need to be careful about which ratings service they look to for vital data.

So how can organizations ensure they choose the right security rating service that enables their team to reduce risk and grow the business safely?

View this webinar OnDemand and learn:

  • What security ratings are;
  • What to look for in a security ratings service;
  • How security ratings fit into the larger security technology picture;
  • How ratings can be leveraged to improve security performance and vendor risk management;
  • How ratings will help your achieve your security goals.
ancient people did stuff, ancient rome, Archaeology, IT Security, Pompeii, roman empire, Rome, Science, Vesuvius

Floor pavements in Pompeii illustrate surveying technology

Floor pavements in Pompeii illustrate surveying technology

Enlarge
L. FERRO, G MAGLI, M. OSANNA

Decorative pavements in the floor of a recently unearthed Roman house in Pompeii offer a glimpse into the life and work of an ancient land surveyor. The pavements depict a stylized drawing of an ancient surveyor’s tool called a groma, along with a diagram of a surveying technique and the plan of a construction project in Pompeii. So far, they’re the only original Roman illustrations of the tools and techniques the Romans used to help build an empire and its infrastructure.

The land surveyor’s house

Only a few metal fragments of a Roman groma exist today (also recovered from Pompeii), and archaeologists have found only a few images carved into surveyors’ tombstones. Otherwise, we know the tool only from descriptions in medieval versions of ancient Roman surveying manuals.

The newly unearthed pavements at Pompeii suggest that those medieval copies were pretty close to the original ancient texts. An image on the floor of the entrance hall is nearly identical to illustrations in medieval copies of Roman texts, attributed to Roman surveyor Hygius and famed architect Vitruvius.

Colored tiles laid into the crushed terracotta pavement depict a circle with a square drawn inside. Lines divide the square into eight equal sections. In Hygius’ and Vitruvius’ texts, the image illustrates how to orient a building to one of the cardinal directions. On the floor of the house, the image shows how the house is oriented in relation to the four cardinal directions: one of the lines points along the length of the house, which faces northeast. Meanwhile, the corners of the square point north, south, east, and west.

The image would have immediately told Roman visitors who owned the house and where he had earned the money to build it. By modern standards, that’s an odd choice of welcome mat, but wealthy Romans often decorated the floors and walls of their homes with images of their professions. That’s why archaeologists think the house may once have belonged to a land surveyor.

Tool of the trade

In a passage connecting the central atrium of the house to the garden, archaeologists found two more decorative images worked into the pavement. One seems to be the stylized image of a groma. Ancient Roman land surveyors and architects would have used a groma to divide farmland into carefully measured parcels called centuriations, to plan developments in cities like Rome and Pompeii, and to lay out the courses of aqueducts and roads.

For some reason, Hygius and Vitrivius didn’t include illustrations of a groma in their texts, so modern scholars have to rely on their descriptions and on fragments of a real groma found at Pompeii. The instrument consisted of a set of crossed arms balanced at the end of a horizontal pole so they could spin freely around the center. Four weighted plumb lines hung from the ends of the arms. A Roman land surveyor would line up two of the plumb lines on a distant point and then use the four arms of the groma to calculate an angle in relation to that line.

That seems to be what’s depicted in the pavement: a cross in a circle, at the top of a long straight line. “The artist had the problem of representing a three-dimensional object on a flat surface and with a relatively crude means of expression but succeeded in showing the fundamental fact,” wrote Massimo Osanna, director of the Pompeii archaeological site, and his colleagues in a recent pre-print paper. The rudimentary image might not scream “groma!” on its own, but in the context of other images related to surveying, it seems likely.

Cyber security, GDPR compliance, IT Risk Management, IT Security, IT Security Governance

OpenBSD bugs, Microsoft’s bad update, a new Nork hacking crew, and more

Meanwhile, the DOJ sets its sights on money mules

Welcome to yet another El Reg security roundup. Off we go.

OpenBSD a little too true to its name

The widely-used OpenBSD operating system is the host of a rather serious security vulnerability.

Researchers with Qualys found and reported, an authentication bypass flaw that would allow an attacker to login without valid credentials.

“We discovered an authentication-bypass vulnerability in OpenBSD’s authentication system: this vulnerability is remotely exploitable in smtpd, ldapd, and radiusd, but its real-world impact should be studied on a case-by-case basis,” notes Qualys. “For example, sshd is not exploitable thanks to its defense-in-depth mechanisms.”

Admins will want to update their systems as soon as possible.

Microsoft update borks databases

Admins running Microsoft Access might want to hold off on installing the latest patch from Redmond.

This after Microsoft warned that the original patch for the database tool, released on November 12, was causing queries to fail.

While some versions have been updated with a fix to clean up the issue, two others, Access 2013 C2R and Access 2019 Volume License, will not get their fix until December 10.

For those wondering, things like this are part of the reason why some companies are behind on their patching: security fixes can sometimes bring with them other bugs that can cripple important systems.

IBM breaks down Hive0080

No, that’s not the name of the cheesy EDM act your sister’s new boyfriend plays in. It’s the newest North Korean hacking operation.

The team at IBM’s X-Force says that Hive0080 is in many ways like the other APTs operating out of the reclusive dictatorship. The outfit mainly exists to help the sanction-hit nation line its coffers with purloined currency.

“Our analysis of this group’s activity indicates they have been active since at least early 2018 and that their malware and TTPs are linked closely to those employed by North Korean-backed cyber operations groups,” X-Force reports.

“These links suggest that this group is financially motivated and, based on their efforts to stage enterprise data for extraction, may also be attempting to steal intellectual property.”

Beware orphaned Windows Hello TPM keys

Admins will want to read this Microsoft advisory and make sure they are not vulnerable to a security hole caused by mishandling of orphaned TPM keys in Azure Active Directory.

“After a user sets up Windows Hello for Business (WHfB), the WHfB public key is written to the on-premises Active Directory. The WHfB keys are tied to a user and a device that has been added to Azure AD, and if the device is removed, the corresponding WHfB key is considered orphaned,” Microsoft says of the keys.

“However, these orphaned keys are not deleted even when the device it was created on is no longer present.”

Bayrob hackers go down for decades

Bogdan Nicolescu and Radu Miclaus, the Romanian duo behind the Bayrob fraud operation, have been sentenced to 20 and 18 years in prison, respectively.

The pair were found to have infected more than 400,000 people’s with malware and made off with an estimated $4m using a combination of identity theft, phishing and cryptocurrency mining.

DOJ takes aim at money mules

The US Department of Justice has launched a campaign to take down money mule networks across the US.

The “mules”, sometimes unwitting accomplices, are used as the go-between for cybercriminals to get money out of the accounts of victims and wired overseas to accounts controlled by the bad guys. The DOJ hopes it will be able to identify and stop hundreds of these individuals.

“The Money Mule initiative highlights the importance of partnership to stop fraud schemes, and it sends a message to all who are engaged in money mule activity that they will be caught and prosecuted,” FBI director Christopher Wray said of the effort.

Aviatrix VPNs vulnerable

Researchers with Immersive Labs have uncovered a vulnerability in the popular Aviatrix enterprise VPN platform

The elevation of privilege flaw requires the attacker to already have access to the VPN, so it is not a major risk, but admins will still want to update the software as soon as possible, since these bugs can often be chained with other exploits to create a more serious issue.

“Coming hot on the heels of the UK and US Government warnings about VPN vulnerabilities, this underlines that often the technology protecting enterprises needs to be managed as tightly as the people using it,” said Alex Seymour, the Immersive Labs researcher who uncovered the bug.

“People tend to think of their VPN as one of the more secure elements of their security posture, so it should be a bit of a wakeup call for the industry.” ®

Sponsored: Technical Overview: Exasol Peek Under the Hood

Cyber security, GDPR compliance, IT Risk Management, IT Security, IT Security Governance

FTC kicks feet through ash pile that once was Cambridge Analytica with belated verdict

Trade boss says long-dead biz was indeed deceiving the public

The US Federal Trade Commission has issued what looks to be a largely symbolic ruling against the remnants of data-harvesting marketers Cambridge Analytica.

In a unanimous 5-0 ruling (PDF) issued on Friday, the trade body declared that the defunct British marketing intelligence operation ran afoul of laws against deceptive business practices and was in violation of the EU-US Privacy Shield Framework.

The findings stem from the FTC’s July complaint filing against Cambridge Analytica, alleging that the political marketing company lied to Facebook users when it pitched its GSRApp as a “personality test” that would not collect or sell identifiable information.

In reality, Cambridge Analytica was found to have collected personal information on tens of millions of people and then used that data to train algorithms for specifically-targeted campaign ads. That, the FTC says, was definitely not legal.

“We conclude that Cambridge Analytica’s representation to App Users who authorized the GSRApp that it would not collect their identifiable information was a false and material, and hence deceptive, claim,” the decision reads.

Additionally, the FTC was charged with deciding whether or not Cambridge Analytica fell afoul of the trans-Atlantic EU US Privacy Shield framework when it let its certification expire, while still telling people outside the company that it was in compliance with the regulations.

“We conclude that Cambridge Analytica’s express representation that it remained a participant in the Privacy Shield framework after its certification had lapsed was false and material, and hence deceptive,” the Commission declared.

Finally, there was the matter of adherence to the Privacy Shield itself, which the company claimed to follow. Again, and not surprisingly, the FTC found the firm in violation of that framework as it had both lost its certification and had failed to notify the US Department of Commerce of the lapse.

man about to become submerged by giant wave of paperwork

Cambridge Analytica didn’t perform work for Leave.EU? Uh, not so fast, says whistleblower

READ MORE

“We find that, by representing that it was compliant with Privacy Shield principles, Cambridge Analytica necessarily represented that it was complying with the Privacy Shield requirement to affirm to Commerce its commitment to continue to apply Privacy Shield protections to the personal information it had collected for as long as it retained this data,” the FTC found.

“This claim was false and misleading because Cambridge Analytica had, in fact, failed to make the required affirmation to Commerce after its Privacy Shield certification lapsed.”

Not that any of this will mean much in the grand scheme of things. Cambridge Analytica was shut down as a going concern last year, and its CEO and App Developer settled their involvement back in July.

Still, the ruling makes it official record that Cambridge Analytica broke the law and was subject to legal action as a result. ®

Sponsored: What next after Netezza?

Cyber security, GDPR compliance, IT Risk Management, IT Security, IT Security Governance

Elon Musk gets thumbs up from jury for use of ‘pedo guy’ in cave diver defamation lawsuit

CEO’s tweeted taunt totally fine, twelve jurors decide

Billionaire Elon Musk did not defame British cave explorer Vernon Unsworth, a Los Angeles jury concluded on Friday.

The trial, which began on Tuesday, followed from Unsworth’s claim that Musk had defamed him by calling him a “pedo guy” on Twitter last year – a term many took to mean pedophile but Musk insisted meant something entirely different.

Unsworth’s attorney Lin Wood had asked for $190m to compensate for damage to his client’s reputation. It took the jury less than an hour to dismiss the claim.

The spat arose after Unsworth brushed off Musk’s offer of a minisubmarine – to help rescue members of a junior soccer team who were trapped in a cave in Thailand between June 23 and July 10, 2018 – as “a PR stunt” and in a TV interview told Musk to “stick his submarine where it hurts.”

Musk, CEO of Tesla, SpaceX, and The Boring Company, apologized and deleted his retaliatory tweet, but defended the jibe as a common insult in his native country South Africa, saying in a court filing that it means “a creep old man.”

James Bond submarine Lotus Esprit car

Billionaire vows to turn 007’s Lotus Esprit into actual submarine car

READ MORE

However, in emails to news site BuzzFeed, he referred to Unsworth as “a child rapist” and said he hoped that he’d be sued by the cave diver.

Musk got his wish and may even have made “pedo guy” safe for public discourse and headline writers.

This is not the first time Musk’s tweeting has resulted in legal action. Last year, he agreed to pay $40m to settle securities fraud charges with the US Security and Exchange Commission based on tweets that he’d made about taking Tesla private again.

Departing court, Musk told reporters, “My faith in humanity is restored.” ®

Sponsored: From CDO to CEO

Cave rescue, Elon Musk, IT Security, pedo guy, Policy, Thailand, Vern Unsworth

Jury sides with Elon Musk in “pedo guy” defamation case

Elon Musk leaves a Los Angeles federal court on Tuesday December 3, 2019.

Enlarge / Elon Musk leaves a Los Angeles federal court on Tuesday December 3, 2019.
Apu Gomes/Getty Images

A Los Angeles federal jury has found Elon Musk not liable for defamation in a lawsuit brought by British caver Vernon Unsworth. Musk dubbed Unsworth a “pedo guy” in a tweet last year, but argued in court that he meant this as a generic insult—not as an accusation that Unsworth was a pedophile.

“My faith in humanity is restored,” Musk reportedly said on his way out of court.

Musk and Unsworth have been trading insults since last July, when Unsworth mocked a miniature submarine SpaceX engineers created to help rescue a dozen boys trapped in a cave in Thailand (it didn’t arrive in time to be useful). In an interview with CNN, Unsworth said that Musk should “stick his submarine where it hurts.”

Musk responded with a tweet labeling Unsworth a “pedo guy” and vowing to prove that the submarine would have been able to squeeze through the narrowest passages in the cave.

A month later, Musk continued to needle Unsworth. “You don’t think it’s strange he hasn’t sued me?” he tweeted in August 2018.

Then Unsworth did sue him. The trial started on Tuesday with testimony from Musk.

Unsworth’s comments were “an unprovoked attack on what was a good-natured attempt to help the kids,” Musk told the court. “It was wrong and insulting, and so I insulted him back.”

“I knew he didn’t literally mean to sodomize me with a submarine, just as I didn’t literally mean he was a pedophile,” Musk said.

Unsworth’s lawyers argued that many people took Musk’s words literally, causing Unsworth “shame, mortification, worry, and distress.”

But the jury found Musk’s arguments more convincing. Or perhaps they simply didn’t view the feud as serious enough to warrant cash damages.

“It was very clear,” one juror said, according to Buzzfeed reporter Ryan Mac. “I don’t want to have anything to do with this,” another added.